CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.2 High
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.002 Low (Percentile: 56.6%)
Severity: High
Date: 2020-02-08
CVE-ID: CVE-2019-14868
Package: ksh
Type: arbitrary command execution
Remote: No
Link: https://security.archlinux.org/AVG-1095

The package ksh before version 2020.0.0-2 is vulnerable to arbitrary
command execution.

Resolution: Upgrade to 2020.0.0-2.
The problem has been fixed upstream but no release is available yet.

Workaround: None.
A flaw was found in ksh version 2020.0.0 in the evaluation of certain
environment variables. An attacker could use this flaw to override or
bypass environment restrictions to execute shell commands. Services and
applications that allow remote unauthenticated attackers to provide one
of those environment variables could allow them to exploit this issue
remotely.
An attacker is able to execute arbitrary commands that are blacklisted
on the affected host.
https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2
https://security.archlinux.org/CVE-2019-14868